Lost State Error -- Coming Back To SP From IDP Authentication


Shane Jeffery

May 13, 2013, 2:52:36 PM
to simple...@googlegroups.com
I have been getting this error for 3 days now and I cannot find a fix for it.

I have tried every possible configuration setup and even starting over with setting up the IDP/SP.

The IDP and SP are located on the same server, different directories, and each has their own virtual host / domain.

I know that this is a session problem, but I am at a loss of how to fix it.

What is working:

1) Go to the SP and the SP kicks over the IDP.
2) IDP prompts for a login (I am using SQL for authentication).
3) Give it the correct login (it creates a valid session -- says so in the simplesamlphp.log under the IDP) and it then redirects me to: https://[mydomain.com]/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp

Once I get redirected back to the SP, the Lost State error pops up.

What I have tried:

1) Setting session.cookie.domain to the same top level domain under the IDP and SP.
2) Setting the session.phpsession.savepath to the /tmp/ for the server for both the IDP and SP.
3) Setting the session.phpsession.cookiename to a unique name that matches for both the IDP and SP.

The certificates on the server are created for both the IDP and SP and are both under their respective cert directories.

When I use the session.cookie.domain and set it to the top level domain for both the IDP and SP, I get the following two cookies when I look at the cookies on the SP when it comes back with the 'State Information Lost' error:

PHPSESSID & SimpleSAMLAuthToken

When I don't use any session.cookie.domain and leave it null, the SimpleSAMLAuthToken is no longer there.

Any ideas about other things that I can try because I am completely out of ideas.

Thanks!

Matthew Slowe

May 13, 2013, 4:18:30 PM
to <simplesamlphp@googlegroups.com>
On 13 May 2013, at 19:52, Shane Jeffery <shane.j...@gmail.com>
wrote:

> I have been getting this error for 3 days now and I cannot find a fix for it.
>
> I have tried every possible configuration setup and even starting over with setting up the IDP/SP.
>
> The IDP and SP are located on the same server, different directories, and each has their own virtual host / domain.
>
> I know that this is a session problem, but I am at a loss of how to fix it.

Shane,

Just a thought... Assuming that you have two distinct instances of SimpleSAMLphp, the IDP and SP are separate applications for the purposes of cookies so should be kept apart.

Try setting the cookie name to include a distinction between them ("IDP" and "SP", perhaps?). Might also be worth keeping the on-disk store separate too.

Get a tracer plugin for your browser (Firefox has SAMLtracer), which can make debugging this sort of thing a lot easier as you can see precisely what's going back and forth.

Hope that helps,
--
Matthew Slowe

Shane Jeffery

May 13, 2013, 4:48:26 PM
to simple...@googlegroups.com
Thank you for the response Matthew.

What cookies should exist on each side, especially after the authentication is validated by the IDP? Because all I see on the SP side is the session cookie for the SP and nothing else.

I changed the name of the cookie for the SP (now session-sp) and IDP (now session-idp).

Thanks!

Shane Jeffery

May 13, 2013, 5:01:51 PM
to simple...@googlegroups.com
I am using the top level domain (.[mydomain].org) along with unique phpsession.cookienames and still getting the same error.

I have 3 cookies when I come back from the IDP authentication:

session-sp
session-idp
SimpleSAMLAuthToken

Each of these has a domain of '.[mydomain].org'.

I just don't understand how the state is getting screwed up and where it is getting screwed up.

Raghu

May 13, 2013, 5:49:11 PM
to simple...@googlegroups.com
Hi Shane,

I have encountered this problem in the past due to 2 reasons:

1. If the URLs of the request and response assertions are different... in my case my request was getting generated from http and the response was getting back to https.
2. I was using Memcache as a session caching server. Whenever that server was down, I had this issue; restarting it fixed the problem.

Hope this helps

Cheers
Raghu

Shane Jeffery

May 15, 2013, 2:32:10 PM
to simple...@googlegroups.com
It sounds like this could possibly be a certificate issue then.

What does the SP need and what does the IDP need in terms of certs?

All I have done is created the .crt and .pem files in the cert directory under the IDP like it says to do under the install guide on the simpleSAMLphp site. Is there more that I need to do? Do I need to add anything to my .conf file for the virtual host?

I am just trying to make sure that I have taken every needed step as both of the sites that are communicating are SSL-based.

Thanks!

Shane Jeffery

May 15, 2013, 3:09:25 PM
to simple...@googlegroups.com
Using the SAML Tracer, this is what the SAML code looks like for the interactions between the SP and IDP (figured this may help!):

Initial SP Page Load

HTTP Part

GET https://test-login.viedu.org/simplesaml/saml2/idp/SSOService.php?SAMLRequest=pVLBbtswDP0VQ3dHtjcnjpAEyBoUDdCtQZ3tsMugWHQiQJY8kWq3v59sd0A7FLnsQgGPfHxPD1yh7EwvtoEu9hF%2BBkBKfnXGohgbaxa8FU6iRmFlByioEfX2870oZpnovSPXOMNeUa4zJCJ40s6yZL9bsx9VlbdNVn6cVyqT7TyvFlV2ak5lC2q5WJyW5TIrq%2FlQWfINPEbmmsVFkY4YYG%2BRpKUIZfmHNCvTvDzmS5Floph%2FZ8ku%2FkZbSSPrQtSj4JwimBp31nb2pEGFmfNnjrrrDQz%2B%2BVAKrlXP6%2FqhBv%2BkG5j1l54l27%2Fmb5zF0IF%2F6X59vH%2B7vkiNDLa59FK9r9E5Fcy4lU%2Ba01ukssERVdDKYCjFKHt4SfmTtkrb8%2FWAT9MQirvj8ZAeHuoj26yG3WIMzG%2F%2B12cHJJUk%2BY%2FNFX8tspqu6ku0t98dnNHN7%2BTW%2BU7SdfcDolXajqOCvLSowVKM3hj3fONBEqwZ%2BQCMbybJt7e7%2BQM%3D&RelayState=https%3A%2F%2Ftest2-launchpad.viedu.org%2F HTTP/1.1
Host: test-login.viedu.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

HTTP/?.? 302 Found
Date: Wed, 15 May 2013 19:00:27 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Set-Cookie: session-idp=d9e11f09e942f5a68f8b78602156bafe; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Location: https://test-login.viedu.org/simplesaml/module.php/core/loginuserpass.php?AuthState=_e7c4eb32674627c569345237d8a7cd1eb6b2f703d1%3Ahttps%3A%2F%2Ftest-login.viedu.org%2Fsimplesaml%2Fsaml2%2Fidp%2FSSOService.php%3Fspentityid%3Dhttps%253A%252F%252Ftest2-launchpad.viedu.org%252Fsimplesaml%252Fmodule.php%252Fsaml%252Fsp%252Fmetadata.php%252Fdefault-sp%26cookieTime%3D1368644427%26RelayState%3Dhttps%253A%252F%252Ftest2-launchpad.viedu.org%252F
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 573
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

SAML Part

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_881fc05468d0af618780bcb5fed977b95905865905"
                    Version="2.0"
                    IssueInstant="2013-05-15T19:00:26Z"
                    Destination="https://test-login.viedu.org/simplesaml/saml2/idp/SSOService.php"
                    AssertionConsumerServiceURL="https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    >
    <saml:Issuer>https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Issuer>
    <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        AllowCreate="true"
                        />
</samlp:AuthnRequest>

Response After Successful Database Authentication At IDP

HTTP Part

POST https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1
Host: test2-launchpad.viedu.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://test-login.viedu.org/simplesaml/module.php/core/loginuserpass.php?
Cookie: session-sp=781ca633bebe3fa7dc6fe109a1622df4
Content-Type: application/x-www-form-urlencoded
Content-Length: 11179

HTTP/?.? 500 Internal Server Error
Date: Wed, 15 May 2013 19:00:41 GMT
Server: Apache
X-Powered-By: PHP/5.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 1634
Connection: close
Content-Type: text/html

SAML Part

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_9cab2bc704dea5ccf17f7832f3e388fb5152f362e3"
                Version="2.0"
                IssueInstant="2013-05-15T19:00:41Z"
                Destination="https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                InResponseTo="_881fc05468d0af618780bcb5fed977b95905865905"
                >
    <saml:Issuer>https://test-login.viedu.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#_9cab2bc704dea5ccf17f7832f3e388fb5152f362e3">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                <ds:DigestValue>mibH8at6j2O8jVhGLgumjTXHDQA=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>jN1RgH7kS4fn0JvZyQ+ZVBdcPtELInVwDhtCh6Vn+Gscb/e9rYdP8ch1XPrTbgLC78LtZK2g8rBzgjz4nSbnSw5PQJbk4tx8sVHt1Yv/btn67ojQ0WzuH6ciCLG+FFPv9+7PILpoWxCqur8o0lt4loHmWlVPmunGruW8igvw2XCT1HRGJsNtJimzPl7iJ2uB/pvnGG+xeXfE4cHKskRfNrhIyTRZEKcYSk8I36cQZVtxn4axGI4bB6+GzCCqFAhnJ6D7aJQJbKEIEMsxTtgJnzIuBUsGYWDBFH/nVkyyc2TxhBsCDkHe8Hp/WBDw2VMeGgTxMDMy6+GU3t4zicoKEA==</ds:SignatureValue>
        <ds:KeyInfo>
            <ds:X509Data>
                <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
            </ds:X509Data>
        </ds:KeyInfo>
    </ds:Signature>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    ID="_9240bece1923f15d6fb6a5d145d50fa955c9cb73b1"
                    Version="2.0"
                    IssueInstant="2013-05-15T19:00:41Z"
                    >
        <saml:Issuer>https://test-login.viedu.org/simplesaml/saml2/idp/metadata.php</saml:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_9240bece1923f15d6fb6a5d145d50fa955c9cb73b1">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                    <ds:DigestValue>J9PYLTXrPg1ZbTNIFEcvLUfi028=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>xtQ7ddPLJbh9wjR8AURkneZoAomexCwYyq8HmUF5tpZvhjp2gEQWazmt4o4ZY2IZbhepiv6cfI0OpxWZRWqEGSArgpEwgLkxYPo8ttfyWpENLh146qkLvP32RzZ6gb0wmuR3hOl0oEiNfXIBNsgYPY9Db9odi+hONGyZAkGIhbBH0gG9WQ8nI2DgNUNxGeW9Ms0UO9E46ZEkqr658fDU5vHJiT8rcGjeXDoMwzQzqERd+avjEMJ3dSifMpBEUY7LbqemkAEQtrePVz5laSzVVUpd3PgtcWiy4xnCkv+t7/EY27MXK4vO+9UMrvaGyVs9IT67qi/BSloYfFM3PMwmRg==</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509Certificate>[certificate omitted]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml:Subject>
            <saml:NameID SPNameQualifier="https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/metadata.php/default-sp"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         >_fe8ea0d8b4f54b8798eef6b2de0653e7560fec6676</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData NotOnOrAfter="2013-05-15T19:05:41Z"
                                              Recipient="https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                                              InResponseTo="_881fc05468d0af618780bcb5fed977b95905865905"
                                              />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-05-15T19:00:11Z"
                         NotOnOrAfter="2013-05-15T19:05:41Z"
                         >
            <saml:AudienceRestriction>
                <saml:Audience>https://test2-launchpad.viedu.org/simplesaml/module.php/saml/sp/metadata.php/default-sp</saml:Audience>
            </saml:AudienceRestriction>
        </saml:Conditions>
        <saml:AuthnStatement AuthnInstant="2013-05-15T19:00:41Z"
                             SessionNotOnOrAfter="2013-05-16T03:00:41Z"
                             SessionIndex="_af14a3419c15dae0e59c52a7f677b00334d1fa63c7"
                             >
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
        <saml:AttributeStatement>
            <saml:Attribute Name="NameID"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xs:string">sjeffery</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="username"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xs:string">sjeffery</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="password"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xs:string">$1$10a45ndj$loW.SlmTHWWvj9nBGctWm/</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="email"
                            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
                            >
                <saml:AttributeValue xsi:type="xs:string" />
            </saml:Attribute>
        </saml:AttributeStatement>
    </saml:Assertion>
</samlp:Response>

Raghu

May 15, 2013, 6:51:46 PM
to simple...@googlegroups.com
If it's a certificate issue, the system will complain that the certificates did not match.

Are you using any session storage servers like memcache?

R

Shane Jeffery

May 16, 2013, 1:41:28 AM
to simple...@googlegroups.com
Hey Raghu.

No, I am using PHPSession for session storage.

- Shane

Peter Schober

May 16, 2013, 5:16:00 AM
to simple...@googlegroups.com
* Shane Jeffery <shane.j...@gmail.com> [2013-05-13 20:52]:
> What I have tried:
>
> 1) Setting session.cookie.domain to the same top level domain under the
> IDP and SP.
> 2) Setting the session.phpsession.savepath to the /tmp/ for the server
> for both the IDP and SP.
> 3) Setting the session.phpsession.cookiename to a unique name that matches
> for both the IDP and SP.

Then undo all of that. The defaults are correct and sufficient.
SAML (including the SimpleSAMLphp implementation) has been designed
for cross-domain SSO, so there is no need to share /anything/ between
the IdP and SP.
(Along the lines of your thinking you'd have a requirement for all
IdPs and SPs to share a cookie domain. Or the same /tmp directory on
the same machine. Obviously that's not the case.)

> Any ideas about other things that I can try because I am completely
> out of ideas.

Not sure it will help, but since you didn't mention you already read
it here's the canonical piece on that error:
http://code.google.com/p/simplesamlphp/wiki/LostState
(For whatever reason it's not part of the SSP documentation.)
-peter
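The following is an added example, not code from this thread or from SimpleSAMLphp itself. It models the cookie mechanics behind the error Shane describes and the advice Peter gives: an SP saves its AuthnRequest state in its own session before redirecting, and the ACS must find that state again when the Response (InResponseTo = the request ID from the trace above) comes back. With the defaults (host-only cookies, separate session stores) this works across domains; forcing both instances onto one shared cookie domain AND one shared cookie name lets the IdP's Set-Cookie overwrite the SP's session cookie, so the state cannot be found. The hostnames under example.org are constructed for the demo.

```python
import secrets

class CookieJar:
    """Browser cookie storage keyed by (domain, name), as a real jar does."""
    def __init__(self):
        self.cookies = {}
    def set(self, domain, name, value):
        self.cookies[(domain, name)] = value
    def get(self, host, name):
        # Host-only cookie (exact host) or a domain cookie whose suffix matches.
        for (domain, n), value in self.cookies.items():
            if n == name and (domain == host or
                              (domain.startswith(".") and host.endswith(domain))):
                return value
        return None

class SspInstance:
    """One SimpleSAMLphp-style install: cookie settings plus a PHP-style session store."""
    def __init__(self, host, cookie_name="PHPSESSID", cookie_domain=None):
        self.host, self.cookie_name = host, cookie_name
        self.cookie_domain = cookie_domain or host   # None = host-only, the default
        self.sessions = {}                           # session id -> session data
    def session(self, jar):
        """Return this instance's session for the browser, creating one if needed."""
        sid = jar.get(self.host, self.cookie_name)
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {}
            jar.set(self.cookie_domain, self.cookie_name, sid)
        return self.sessions[sid]

def sso_round_trip(sp, idp):
    """Simulate SP -> IdP -> SP and report what the SP's ACS sees."""
    jar = CookieJar()
    req_id = "_881fc05468d0af618780bcb5fed977b95905865905"  # AuthnRequest ID from the trace
    # 1) SP saves the request state in its own session, then redirects to the IdP.
    sp.session(jar)["state"] = {req_id: {"RelayState": "https://sp.example.org/"}}
    # 2) The IdP login creates the IdP's session and sets the IdP's cookie.
    idp.session(jar)["auth"] = "sjeffery"
    # 3) The Response (InResponseTo=req_id) is POSTed to the SP's ACS; the SP must
    #    find the saved state again. The same lookup is what rejects an unsolicited
    #    or replayed Response whose InResponseTo the SP never issued.
    state = sp.session(jar).get("state", {})
    return "OK" if req_id in state else "State information lost"
```

Run the three configurations from the thread (defaults; shared domain with the same cookie name; shared domain with distinct names) through `sso_round_trip` to see which one loses the state.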